CrossCert : A Cross-Checking Detection Approach to Patch Robustness Certification for Deep Learning Models
Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review
Author(s)
Related Research Unit(s)
Detail(s)
| Original language | English |
|---|---|
| Title of host publication | Proceedings of the ACM on Software Engineering |
| Editors | Luciano Baresi |
| Place of Publication | New York, NY |
| Publisher | Association for Computing Machinery |
| Pages | 2725-2746 |
| Number of pages | 22 |
| Publication status | Published - Jul 2024 |
Publication series
| Name | Proceedings of the ACM on Software Engineering |
|---|---|
| Number | FSE |
| Volume | 1 |
| ISSN (electronic) | 2994-970X |
Conference
| Title | 32nd ACM International Conference on the Foundations of Software Engineering (FSE 2024) |
|---|---|
| Location | |
| Place | Brazil |
| City | Porto de Galinhas |
| Period | 15 - 19 July 2024 |
Link(s)
| DOI | DOI |
|---|---|
| Permanent Link | https://scholars.cityu.edu.hk/en/publications/publication(b6f533fd-18ba-4b24-9f4b-714745c94b0a).html |
Abstract
Patch robustness certification is an emerging kind of defense technique for deep learning models. It aims to enhance the reliability of these models against adversarial patch attacks with provable guarantees. There are two research lines: certified recovery and certified detection. They aim to correctly label malicious samples with provable guarantees and issue warnings for malicious samples predicted to non-benign labels with provable guarantees, respectively. However, existing certified detection defenders suffer from producing labels subject to manipulation, and existing certified recovery defenders cannot warn samples about their labels. A certified defense that simultaneously offers robust labels and systematic warning protection against patch attacks is desirable. This paper proposes a novel certified defense technique called CrossCert. CrossCert formulates a novel approach by cross-checking two certified recovery defenders to provide unwavering certification and detection certification. Unwavering certification ensures that a certified sample, when subjected to a patched perturbation, will always be returned with a benign label without triggering any warnings with a provable guarantee. To our knowledge, CrossCert is the first certified detection technique to offer this guarantee. Our experiments show that, with a slightly lower performance than ViP and a comparable performance with PatchCensor in terms of detection certification, CrossCert certifies a significant proportion of samples with the guarantee of unwavering certification. © 2024 Copyright held by the owner/author(s).
Research Area(s)
- Certification, Verification, Deep Learning Model, Certified Robustness, Patch Robustness, Worst-Case Analysis, Security
Bibliographic Note
Information for this record is supplemented by the author(s) concerned.
Citation Format(s)
CrossCert: A Cross-Checking Detection Approach to Patch Robustness Certification for Deep Learning Models. / ZHOU, Qilin; WEI, Zhengyuan; WANG, Haipeng et al.
Proceedings of the ACM on Software Engineering. ed. / Luciano Baresi. New York, NY: Association for Computing Machinery, 2024. p. 2725-2746 (Proceedings of the ACM on Software Engineering; Vol. 1, No. FSE).
Proceedings of the ACM on Software Engineering. ed. / Luciano Baresi. New York, NY: Association for Computing Machinery, 2024. p. 2725-2746 (Proceedings of the ACM on Software Engineering; Vol. 1, No. FSE).
Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review
